Is there a way to do "sanity-checking" of values?
We sometimes face the problem that an alert contains wrong information in a field (such as an IP address as a "hostname"), and Siemplify will then create a hostname entity reading "1.2.3.4" due to our mapping.
However, further enrichments against this entity may fail, as they only work with hostnames but not IPs.
So basically we want to do a check if the value may actually be an IP address (i.e. only consists of the characters 0-9 and .) - but how could we do this?
I haven't tested this, but maybe there's something you can do with the regex extractions from the ontology screen
This comment was originally sent by Tom Fridman
Hi @Marek_Kreul
Actually yes. Using "Extraction function", you can verify the field contains a valid IP address.
Attached a picture to demonstrate.
Here's the regex that has been used:
^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)(\.(?!$)|$)){4}$
Hi @Tomtomfridman, is there also a way to do it outside of this extraction, such as within a playbook action?
This comment was originally sent by Tom Fridman
You can't map entities in a playbook, but you can add entities to the alert with the action "Create Entity". For regex, you can use the action "String Functions" from the Functions powerup, which has a regex function.
@Marek_Kreul
Thanks @Tomtomfridman, but as far as I'm aware this only "transforms" the string based on the regex, it doesn't allow me to check if it matches a regex.
But thinking of it.... I'd have to "transform" the string with the "IP address" regex, and if it's empty, then I know that it is not an IP?
This comment was originally sent by Tom Fridman
With the regex extraction function, if the value doesn't match the regex, it simply won't create an entity.
I understood - but what about the playbook action?
@Marek_Kreul
Hey! I'm trying to understand what you want to achieve with the playbook action? Something like regex matching?
Like Tom mentioned, there's an action called "Strings Functions" with regex capabilities. If the action finds that the input matches the regex, it will return it, otherwise it won't. Python's re.match does the same thing, only returns a boolean instead of the value itself.
That is the same behavior you will get in the extraction function. Like you said, it will not transform the data if the data is already in the right format. That way it will ignore anything that doesn't match the regex, basically acting like a "field validator".
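The "transform and see whether the result is empty" idea from this thread, worked through as a small added example (this is not code from the thread, from Siemplify, or from the Functions powerup). It applies Tom's IPv4 regex from the extraction-function answer, compares it with Python's standard `ipaddress` module, and classifies a raw alert field the way a playbook step would before choosing which enrichment to run. The entity-type labels `"ADDRESS"`, `"HOSTNAME"` and `"INVALID"` and the sample alert fields are assumptions made up for the example; the hostname pattern is a generic RFC 1123 style check, not something the thread specifies.

```python
import ipaddress
import re

# The IPv4 regex posted in the thread: four octets 0-255, no leading zeros,
# dots only between octets. Used here exactly as the "field validator".
IPV4_RE = re.compile(r"^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)(\.(?!$)|$)){4}$")

# Assumed RFC 1123-style hostname check (not from the thread): 1-63 character
# labels of letters, digits and hyphens, no leading/trailing hyphen, <= 253 total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def matches_ipv4_regex(value):
    """True when the thread's regex accepts the value.

    re.match returns a Match object or None, so an empty/None result is the
    'regex transform came back empty' signal discussed in the thread.
    """
    return IPV4_RE.match(value) is not None


def is_ip_address(value):
    """Stricter standard-library check: accepts IPv4 and IPv6, rejects the rest."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify_entity(raw_field):
    """Decide which entity type an alert field should become.

    Returns one of the assumed labels "ADDRESS", "HOSTNAME" or "INVALID".
    """
    value = raw_field.strip()
    if not value:
        return "INVALID"
    if is_ip_address(value):
        return "ADDRESS"
    # Only digits and dots but not a valid IP (e.g. "1.2.3" or "999.1.1.1"):
    # this is the case the original question worried about, so do not let it
    # fall through and become a bogus hostname entity.
    if re.fullmatch(r"[0-9.]+", value):
        return "INVALID"
    if HOSTNAME_RE.match(value):
        return "HOSTNAME"
    return "INVALID"


# Constructed sample values, as they might arrive in a mis-mapped alert field.
SAMPLE_ALERT_FIELDS = [
    "1.2.3.4",
    "srv01.example.internal",
    "999.1.1.1",
    "2001:db8::1",
    "",
    "bad host",
]


def triage(fields):
    """Map every raw field to its entity classification."""
    return {field: classify_entity(field) for field in fields}


if __name__ == "__main__":
    for field, kind in triage(SAMPLE_ALERT_FIELDS).items():
        print(f"{field!r:28} -> {kind}")
```

In a playbook the same logic reduces to: run the regex transform, branch on whether the output is empty, and only then call "Create Entity" with the right type. The `ipaddress` check is the one to prefer when IPv6 can show up, since the thread's regex is IPv4-only.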
ah ok, I didn't understand that
This was the missing piece, thanks!
No problem!